Suppose Alice wants to perform some computation that could be done quickly on a
quantum computer, but she cannot do universal quantum computation. Bob can do
universal quantum computation and claims he is willing to help, but Alice wants to be
sure that Bob cannot learn her input, the result of her calculation, or perhaps even the
function she is trying to compute. We describe a simple, efficient protocol by which Bob
can help Alice perform the computation, but there is no way for him to learn anything
about it. We also discuss techniques for Alice to detect whether Bob is honestly helping
her or if he is introducing errors.



1 Introduction 



The idea of processing information stored in quantum states has spawned numerous
cryptographic applications. A few examples include quantum key distribution [1], which allows
remote parties to securely establish a shared list of random numbers; a fast quantum algorithm
for factoring [2], which can be used to break certain classical cryptosystems; quantum secret
sharing, by which a secret quantum state can be divided among several parties; quantum
data hiding, which offers an information theoretically secure way of sharing a classical
secret; quantum digital signatures [7], which can be used to authenticate documents; and
secure quantum channels [8, 9, 10, 11], which allow secure transmission of quantum states.

But there are also a number of negative results about the possible cryptographic
applications of quantum information, such as the impossibility of an unconditionally secure quantum
protocol for bit commitment. A related result is the impossibility of "secure two-party
computation," in which two parties collaborate to compute a function without revealing their
inputs [13] (although in general, secure multi-party quantum computation is possible [15, 16]).
However, this does not rule out all forms of collaborative computation by two parties: for
example, what if one of the parties wishes to assist the other, with no possibility of learning the
input or output of the computation? We will show that this kind of two-party computation
can be done securely.

More precisely, the problem we will consider is the following: imagine that Alice would like
to perform a quantum computation in secret, but although she can do some basic quantum
gates, she does not have a full-fledged quantum computer. Bob, who runs a company that
sells time on its quantum supercomputer, would like to supply Alice with the resources she
needs to perform her computation. But Alice does not trust Bob; she needs to be absolutely
sure that he cannot learn anything about her computation, i.e., that the state Bob sees at
any time is the same, independent of her actual quantum state. Can they carry out an
unconditionally secure protocol by which Bob can assist Alice? In this paper, we describe
protocols that answer this question in the affirmative.

To fully specify our question, we must decide exactly what resources are allowed. Three 
kinds of resources must be specified: operations available to Alice, operations available to Bob, 
and ways in which they can communicate. We will always allow Bob to do universal quantum 
computation and make arbitrary quantum measurements, and we will allow bidirectional 
quantum communication. There are many possible restrictions on Alice's resources that 
might be of interest, but we will choose the most restrictive set under which Bob can help 
her do universal quantum computation. We will allow Alice to store quantum states and to 
route her qubits (i.e., perform the swap gate), but we will suppose that the only nontrivial 
gates she can perform are the Pauli gates,
Z :=
(1)



(with which she can perform their product XZ, etc.). This gate set fails to be universal in
two important ways. First, Alice cannot perform any interactions between qubits. Second,
the single-qubit gates she can perform are restricted to the discrete set {I, X, Z, XZ} (up to
an overall phase^a), which forms a group (the Pauli group) under multiplication. In addition
to the restrictions on her gates, we will suppose that Alice can only prepare the $|0\rangle$ state,
and she cannot perform measurements. Alice also must be able to generate random classical
bits (say, by flipping unbiased coins) and to perform Pauli gates conditioned on the values of
these classical bits.

Note that a related question has been considered in the classical setting. As we argue in
Section 5, there is no reasonable restriction on Alice's gate set under which she can carry out a
classical protocol analogous to our quantum protocols. However, one can instead assume Alice
has the ability to perform polynomial-time computation and ask whether she can securely
receive help from an arbitrarily powerful Bob. For certain particular problems this is the
case, whereas for other problems (in particular, NP-hard ones), it is not. In
contrast, our protocols make no computational assumptions, and will apply to any quantum
circuit known to Alice, not just the computation of a particular function.

All of the protocols we present are applications of a quantum version of the Vernam cipher
[21], also known as private key encryption or the one-time pad. The classical Vernam cipher
works as follows: suppose Alice wishes to securely send a bit b to Charlie. She and Charlie
share another bit k, the key, that is randomly chosen to be either 0 or 1, each with probability
1/2. Alice computes the message bit $m = b \oplus k$, where $\oplus$ denotes addition modulo two, and
sends it to Charlie. Since he knows k, he can compute $b = m \oplus k$. However, an eavesdropper
(whom we shall call Eve) who does not know k can learn nothing about b since b and m have
zero mutual information. To send multiple bits, Alice and Charlie can repeat this procedure,
using a new random key bit for each message bit.

^a For simplicity, we identify operators that differ by an overall phase, since such phases are irrelevant in all
the situations we consider. Equivalently, we could multiply all operators by a phase so that they have unit
determinant.

Andrew M. Childs 3

Fig. 1. Quantum circuit for the private quantum channel. The double lines represent randomly
chosen classical bits j and k that are shared by Alice and Charlie. Whether the gates are performed
or not depends on the values of j and k as indicated.

The private quantum channel is a quantum analogue of this protocol in which the key
remains classical, but the channel is used to send quantum states. (Note that this
differs from the quantum Vernam cipher, in which the key is also a quantum state.) In
the private quantum channel, Alice and Charlie need to share two classical bits j and k for
Alice to send her qubit. The circuit shown in Fig. 1 summarizes their protocol. Alice applies
the unitary operator $Z^k X^j$ to her state and sends the result to Charlie. In between, Eve
may intercept the state, but since she doesn't know j or k, she sees the density matrix

$$\frac{1}{4} \sum_{j,k=0}^{1} Z^k X^j |\psi\rangle\langle\psi| X^j Z^k = \frac{1}{2} I \qquad (2)$$

independent of $|\psi\rangle$. From Eve's perspective, Alice has applied the depolarizing channel, so
Eve can learn nothing about the state. Although she can destroy the state or change it in
some way, she cannot learn anything about it. Assuming she does nothing, Charlie will receive
the state $Z^k X^j |\psi\rangle$. Since he knows the values of j and k, he can apply the inverse operation
$X^j Z^k$ to recover the original state. If Alice wants to send Charlie n qubits, they can repeat
the procedure independently for each qubit, using a total of 2n random classical bits as the
key. From Eve's perspective, the density matrix of all n qubits is again maximally mixed,
independent of Alice's state, so the procedure is secure.

We will show how the idea of a private quantum channel can be adapted to allow Bob to 
help Alice perform a quantum computation. The main idea behind these circuits is that Alice 
can use a private quantum channel to securely send qubits to herself. Since Alice is both the 
sender and the receiver, there is no need for her to distribute a key. Alice sends her qubits 
by way of Bob, who plays the part of the eavesdropper. However, instead of trying to learn 
Alice's state (which of course would be futile), he intentionally performs the gate Alice would 
like to be able to do. After he gives it back to Alice, she performs an appropriate decoding 
operation. Of course, this procedure is only useful if the decoding operation can be performed 
using only the restricted set of gates available to Alice, which is not necessarily the case for 
arbitrary gates. 

We begin in Sec. 2 by showing how Bob can help Alice perform a measurement in the
computational basis, and then show how he can help her complete her gate set to do universal
quantum computation in Sec. 3. We give a unified description of k-round protocols for secure
assisted gates in Sec. 4, and we discuss why they have no meaningful classical analogue in
Sec. 5. In Sec. 6 we discuss the question of whether Alice can determine whether Bob is being
honest. Finally, in Sec. 7 we conclude with a discussion and some open questions.

Fig. 2. Secure assisted computational basis measurement. The classical bits j and k are randomly
chosen, and their values determine whether Alice applies certain gates. The meter inside a dashed
box represents a computational basis measurement, the action performed by Bob if he is honest.
Even if he does some other operation, he can learn nothing about Alice's data.



2 Secure assisted measurement 

First, we describe how Bob can make a measurement for Alice. We begin by discussing a
classical version of the protocol. Suppose Alice has a classical bit b, but although she can
manipulate it, she cannot read its value. However, she can securely send her bit to Bob and
ask him to read it for her. Alice chooses a key bit k at random and computes $b \oplus k$. She then
gives the result to Bob, who reads the result and tells it to her. To determine the value of
her original bit b, she simply flips the result if k = 1 and does nothing otherwise.

This classical procedure doesn't seem very useful since reading the value of a classical bit is
usually an easy thing to do. But quantum measurement is a difficult task, so we can imagine
a scenario in which Alice can coherently manipulate her qubits, but she cannot measure them.
In such a situation, there is a quantum version of the above measurement protocol that allows
Bob to make a measurement of Alice's state in the computational basis. Alice chooses two
random bits j and k and applies the unitary operator $Z^k X^j$ to her state. She then gives the
qubit to Bob. He can acquire no information from this state since from his point of view,
by (2), the density matrix is maximally mixed, independent of Alice's actual state. However,
if he measures the qubit in the computational basis and reports the result to Alice, she can
determine the result of the corresponding measurement on her original state. The Z operator
does not change the measurement result, and the X operator flips it, so Alice should flip the
result if j = 1 and not flip it if j = 0. A quantum circuit for this protocol is shown in Fig. 2.



3 Secure assisted gates 

We now describe how Bob can help Alice perform universal quantum computation. We do
this by showing that she can perform a universal set of gates. In particular, we present circuits
by which she can securely perform the Hadamard gate,
the π/8 gate,
and the controlled-NOT gate (a two-qubit interaction),

c:= : : : : . (5)

Fig. 3. Secure assisted Hadamard gate. The gate in the dashed box is what would be performed
by an honest Bob, but if he performs some other operation, he will learn nothing about Alice's
data.



This gate set is universal for quantum computation in the sense that any unitary
transformation can be approximated arbitrarily closely by some sequence of these gates [21]. Thus,
the circuits for secure implementation of these gates can be used as subroutines to perform
an arbitrary quantum computation.

The simplest of these constructions is the protocol for a secure Hadamard gate. Alice
chooses two random classical bits j and k. To randomize her state so that Bob can learn
nothing from it, Alice applies $Z^k X^j$ to her qubit. She then passes it to Bob. By (2), Bob's
density matrix is maximally mixed, independent of Alice's actual state. If Bob is honest, he
performs a Hadamard gate and hands the qubit back to Alice. Now she must correct her
qubit so it is as if only the Hadamard were applied. Because XHZ = ZHX = H, Z can be
undone by X and X can be undone by Z. Thus Alice can appropriately fix her state using
only Pauli gates, regardless of the values of j and k. The resulting circuit, shown in Fig. 3,
is equivalent to a Hadamard gate if Bob is honest. If he is dishonest, he can destroy Alice's
qubit or give her the wrong result, but he can learn nothing from the state she gave him.

A similar procedure can be used to perform a controlled-NOT gate. Since this is a two
qubit gate, Alice must choose four random classical bits j, k, l, m. She randomizes her state by
applying $Z^k X^j$ to the first qubit and $Z^m X^l$ to the second. Then she gives the qubits to Bob,
who is supposed to perform a controlled-NOT gate and return them to Alice. Note that by (2)
applied to each of the two qubits, Bob's density matrix is maximally mixed, independent of
Alice's state. Supposing that Bob performs the controlled-NOT gate as requested, Alice must
correct the encoded qubits so that the overall interaction is a controlled-NOT. If j = 1, then
the target bit was inverted based on an inverted control bit, so she must apply $X^j$ to the
target. She then fixes the target bit by applying $X^l Z^m$ and the control bit by applying $X^j Z^k$.
However, if m = 1, she has also performed a controlled-(−1) gate due to the anticommutation
of X and Z. This can be fixed by applying $Z^m$ to the control bit. The resulting circuit is
shown in Fig. 4.

Although the π/8 gate is only a one-qubit gate, this operation is more complicated to
implement: Alice and Bob must use a two-round protocol, as we prove in the next section.
In total, Alice needs four random classical bits j, k, l, m. First, she randomizes her quantum
state by applying $Z^k X^j$. She then gives it to Bob (whose density matrix, again by (2), is
maximally mixed), and if he is honest, he applies a π/8 gate and gives it back to Alice. She
can undo her randomization by applying $X^j Z^k$. The Z operation commutes with T, so it does
not create any problems. However, $X T X = T^\dagger$ (up to an overall phase), which differs from
T by $S := T^2$, a gate that Alice cannot perform. But she can have Bob do it for her, again
encoding the qubit using (2), and since $S^2 = Z$, she will be able to undo the randomization
herself. If she only asks Bob to help her perform S when j = 1, this tells him the value of j.
But Alice can avoid revealing j by always asking Bob to participate in the second round, but
operating on a dummy qubit when j = 0. The complete circuit is shown in Fig. 5. Assuming
Bob is honest, this circuit is equivalent to the π/8 gate up to an irrelevant overall phase.

Fig. 4. Secure assisted controlled-NOT gate.

Fig. 5. Secure assisted π/8 gate. A vertical line with two X symbols indicates a SWAP gate,
classically controlled on the value of j as indicated.
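
The Hadamard and π/8 protocols of this section, together with Bob's view from Eq. (2), simulated on one qubit. This is an added example, not code from the paper; it assumes the standard matrices for H and for T = diag(1, e^{iπ/4}) (the paper's own gate definitions did not survive on this page), and `PSI` is a constructed sample state.

```python
import cmath
from itertools import product

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
T = [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]]  # assumed standard pi/8 gate
S = [[1, 0], [0, 1j]]                            # S = T^2, so S^2 = Z

def mul(*factors):
    """Product of 2x2 matrices, written in the same order as in the text."""
    out = I2
    for m in factors:
        out = [[sum(out[r][t] * m[t][c] for t in range(2)) for c in range(2)]
               for r in range(2)]
    return out

def pw(gate, bit):
    """gate**bit for a classical control bit."""
    return gate if bit else I2

def act(gate, state):
    return [gate[r][0] * state[0] + gate[r][1] * state[1] for r in range(2)]

def same_state(a, b, tol=1e-9):
    """True if two normalised states agree up to an overall phase."""
    return abs(abs(sum(x.conjugate() * y for x, y in zip(a, b))) - 1) < tol

def bob_density(psi):
    """Eq. (2): the state Bob holds, averaged over Alice's secret bits j, k."""
    rho = [[0j, 0j], [0j, 0j]]
    for j, k in product((0, 1), repeat=2):
        v = act(mul(pw(Z, k), pw(X, j)), psi)
        for r in range(2):
            for c in range(2):
                rho[r][c] += v[r] * v[c].conjugate() / 4
    return rho

def assisted_hadamard(psi, j, k, bob_gate=H):
    sent = act(mul(pw(Z, k), pw(X, j)), psi)     # Alice randomises with Z^k X^j
    back = act(bob_gate, sent)                   # Bob's step (honest Bob: H)
    return act(mul(pw(Z, j), pw(X, k)), back)    # Z undone by X, X undone by Z

def assisted_t(psi, j, k, l, m):
    # Round 1: Bob applies T to the randomised qubit, Alice removes Z^k X^j.
    back = act(T, act(mul(pw(Z, k), pw(X, j)), psi))
    data = act(mul(pw(X, j), pw(Z, k)), back)    # equals X^j T X^j |psi>
    # Round 2: Bob always applies S. The SWAP controlled on j decides whether
    # he receives the data qubit (j = 1) or a dummy |0> (j = 0).
    dummy = [1, 0]
    to_bob, kept = (data, dummy) if j else (dummy, data)
    ret = act(S, act(mul(pw(Z, m), pw(X, l)), to_bob))
    fixed = act(mul(pw(Z, l), pw(X, l), pw(Z, m)), ret)  # Paulis only, uses S^2 = Z
    return fixed if j else kept

PSI = [0.6, 0.8j]  # constructed sample input state

if __name__ == "__main__":
    print("Bob's density matrix:", bob_density(PSI))
    print("T correct for all keys:",
          all(same_state(assisted_t(PSI, *key), act(T, PSI))
              for key in product((0, 1), repeat=4)))
```

Passing `bob_gate=X` to `assisted_hadamard` models a dishonest Bob: Alice's decoding then yields a wrong state, while `bob_density` is unchanged.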

4 The Gottesman-Chuang hierarchy 

In this section, we explain the existence of the gate constructions discussed in the previous
section using a hierarchy of gates presented by Gottesman and Chuang [52]. We show that
the gates that can be realized using a k-round protocol are exactly those in the (k+1)th level
of this hierarchy.

A single-round protocol for a secure assisted gate U on n qubits requires that

$$D_j U E_j = U \quad \forall j, \qquad (6)$$

where $E_j$, $D_j$ are Alice's encoding and decoding operators. Let $C_1$ denote the Pauli group on
n qubits; that is, all operators that are tensor products of n Pauli operators. Furthermore,
let $C_1^p$ denote those operators that can be written as a product of Pauli group elements
and permutations of the qubits (i.e., products of swap gates). Gates in $C_1^p$ are exactly the
operations that Alice can perform without assistance, so $E_j, D_j \in C_1^p \ \forall j$. For simplicity,
we will assume that Alice uses the encoding where $E_j$ runs over all elements of $C_1$, each
with probability $p_j = 2^{-2n}$. (More generally, Alice could choose to include swap gates in her
encoding, but this would not affect our conclusions.) The decoding operations are specified
by

$$D_j = U E_j^\dagger U^\dagger. \qquad (7)$$

Thus the requirement $D_j \in C_1^p$ allows us to classify the possible U's that can be realized in
this way: U must come from the set

$$C_2^p := \{U : U C_1 U^\dagger \subseteq C_1^p\}. \qquad (8)$$

It is not hard to show that in fact^b

$$C_2^p = C_2 := \{U : U C_1 U^\dagger \subseteq C_1\}. \qquad (9)$$

The set $C_2$ forms a well known group, the Clifford group [23]. Any gates in this group, such
as the Hadamard and CNOT gates, can be realized with a one-round protocol.

If Alice and Bob are willing to use a two-round protocol, they can do more gates. By the
preceding discussion, Bob must do a gate from $C_2$ in the second round. However, in the first
round, he can do any gate from

$$C_3 := \{U : U C_1 U^\dagger \subseteq C_2\}, \qquad (10)$$

e.g., the π/8 gate (or the Toffoli or Fredkin gate). Different encoding/decoding pairs may
require Bob to do different things in the second round, but if Alice uses the SWAP trick
introduced in the secure π/8 gate construction, this need not provide him with any information.
By induction, we see that in k rounds, Alice and Bob can securely perform any gate in the
set

$$C_k := \{U : U C_1 U^\dagger \subseteq C_{k-1}\}. \qquad (11)$$

Note that gates in $C_2$ are not sufficient for universal computation. However, universal
quantum computation can be done using $C_3$ gates.
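
A brute-force membership test for the levels of Eqs. (9)-(11), together with the decoding operator of Eq. (7), which also reproduces the controlled-NOT corrections described in Section 3. This is an added example, not code from the paper; it assumes the standard matrices for H, T and CNOT (first qubit as control), and the function names are illustrative.

```python
import cmath
from functools import lru_cache
from itertools import product

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def dagger(a):
    return [[x.conjugate() for x in col] for col in zip(*a)]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
ONE_QUBIT = {"I": [[1, 0], [0, 1]], "X": X, "Z": Z, "XZ": matmul(X, Z)}
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
T = [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]]   # assumed standard pi/8 gate
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # qubit 1 controls

@lru_cache(maxsize=None)
def paulis(n):
    """The 4**n elements of C_1 on n qubits (overall phases ignored), by label."""
    group = {}
    for labels in product(ONE_QUBIT, repeat=n):
        m = [[1]]
        for name in labels:
            m = kron(m, ONE_QUBIT[name])
        group[labels] = m
    return group

def equal_up_to_phase(a, b, tol=1e-9):
    fa = [x for row in a for x in row]
    fb = [x for row in b for x in row]
    pivot = next(i for i, x in enumerate(fb) if abs(x) > tol)
    if abs(fa[pivot]) < tol:
        return False
    phase = fa[pivot] / fb[pivot]
    return all(abs(x - phase * y) < tol for x, y in zip(fa, fb))

def which_pauli(m, n):
    """Label of the Pauli equal to m up to phase, or None."""
    for label, p in paulis(n).items():
        if equal_up_to_phase(m, p):
            return label
    return None

def conjugate(u, p):
    return matmul(matmul(u, p), dagger(u))

def in_level(u, k, n):
    """Membership in C_k, defined recursively as in Eqs. (9)-(11)."""
    if k == 1:
        return which_pauli(u, n) is not None
    return all(in_level(conjugate(u, p), k - 1, n) for p in paulis(n).values())

def rounds_needed(u, n, max_level=4):
    """Rounds of assistance = (lowest level containing u) - 1; None above max_level."""
    for k in range(1, max_level + 1):
        if in_level(u, k, n):
            return k - 1
    return None

def decoding(u, encoding, n):
    """Eq. (7): D = U E^dagger U^dagger as a Pauli label, None if it is not a Pauli."""
    return which_pauli(conjugate(u, dagger(paulis(n)[encoding])), n)

if __name__ == "__main__":
    print("rounds:", rounds_needed(H, 1), rounds_needed(CNOT, 2), rounds_needed(T, 1))
    print("CNOT decoding for X on control:", decoding(CNOT, ("X", "I"), 2))
```

`decoding(T, ("X",), 1)` returns `None`: after one round with the π/8 gate the required correction is not a Pauli, which is why that gate needs the second round.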

At first glance, it may seem that the form of (6) is too restrictive. Why should Bob have
to perform exactly the gate Alice wants? In other words, shouldn't we consider protocols of
the form

$$D_j V E_j = U \quad \forall j, \qquad (12)$$

where $V \neq U$? The answer is no, because if such a scheme exists, we can easily turn it into a
scheme where V = U: we have $V = D_0^\dagger U E_0^\dagger$, which can be substituted into (12) to give

$$U = D_j D_0^\dagger U E_0^\dagger E_j. \qquad (13)$$

By using the modified encoding operations $E'_j := E_0^\dagger E_j$ and decoding operations $D'_j := D_j D_0^\dagger$,
Alice can ask Bob to perform U instead of V. Thus there is no loss of generality in the choice



^b I thank Wim van Dam for a discussion of this point.



8 Secure assisted quantum computation 



5 Secure assisted classical gates 

It is interesting to contrast these protocols for secure assisted quantum gates with the
corresponding problem for reversible classical computers. If Alice cannot do universal classical
computation, is it possible for Bob to assist her in a secure way? The answer is no: secure
assisted universality can only be achieved in a meaningful way in the quantum setting. This
is essentially because the ability to do classical operations is assumed in the quantum case,
so classically controlled quantum gates are no more difficult to implement than unconditional
quantum gates; but a classically controlled classical gate can be a more powerful resource
than the original classical gate. For example, the controlled-NOT gate is not universal for
classical computation, but a controlled-controlled-NOT (more commonly known as a Toffoli
gate) is universal.

To see why secure assisted classical universality is not possible, we introduce a classical
analogue of the Gottesman-Chuang hierarchy. For n-bit gates, let $C_1$ denote gates that are
tensor products of n identity and NOT gates. Also, let

$$C_k := \{P : P C_1 P^{-1} \subseteq C_{k-1}\} \qquad (14)$$

denote the set of classical gates (permutations) that map $C_1$ gates into $C_{k-1}$ gates under
conjugation. Just as in the quantum case, gates in $C_2$ are not sufficient for universal computation,
but there are gates from $C_3$ (e.g., the Toffoli and Fredkin gates) that are universal. Thus the
natural restriction on Alice's gate set is to allow her to do only $C_2$ gates. In particular, since
she must use gates that are controlled based on the values of her random key bits, she will be
interested in using controlled-$C_1$ gates, all of which are in $C_2$. However, with a single-round
protocol, she can only use controlled-$C_1$ gates to build $C_2$ gates on her computational bits,
which gives her no additional computational power. Since she cannot perform the
controlled-SWAP (Fredkin) gate, she cannot securely perform a multi-round protocol. Thus there is no
way for her to achieve secure assisted universality.

However, there are particular examples in which Alice and Bob can perform a computation
securely even in the classical case. Some work along these lines was mentioned in Section 1,
but a simple example that shows the advantage of having a particular problem in mind is
the following. Suppose Alice would like to find a satisfying assignment for a Boolean formula
containing n variables. Alice generates n random bits, one for each of the variables in the
formula. If the bit corresponding to a particular variable is zero, she does nothing; if that
bit is one, she inverts the variable wherever it appears in the formula. She then tells Bob
the formula, and if he is honest, he gives her a satisfying assignment. To find a satisfying
assignment for her original problem, she flips the bits corresponding to the variables that were
inverted in the formula she gave to Bob. Although Bob can learn a lot about the structure
of the problem, he cannot learn the particular satisfying assignment of her original problem.^c
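
The formula-masking procedure just described, as an added example that is not part of the paper. Formulas are CNF clause lists with signed integer literals (an assumed encoding), `bob_solve` is a brute-force stand-in for Bob, and `alice_solve` also checks Bob's answer against the original formula in the way Section 6 suggests for problems in NP.

```python
import secrets
from itertools import product

def mask(cnf, key):
    """Invert variable v wherever it appears when key[v - 1] == 1."""
    return [[-lit if key[abs(lit) - 1] else lit for lit in clause] for clause in cnf]

def unmask(assignment, key):
    """Flip back the bits of the variables that were inverted."""
    return [a ^ k for a, k in zip(assignment, key)]

def satisfies(cnf, assignment):
    return all(any((lit > 0) == bool(assignment[abs(lit) - 1]) for lit in clause)
               for clause in cnf)

def bob_solve(cnf, n):
    """Stand-in for Bob: exhaustive search, returns the first satisfying assignment."""
    for bits in product((0, 1), repeat=n):
        if satisfies(cnf, bits):
            return list(bits)
    return None

def alice_solve(cnf, n, key=None, solver=bob_solve):
    if key is None:
        key = [secrets.randbelow(2) for _ in range(n)]  # one random bit per variable
    answer = solver(mask(cnf, key), n)                  # Bob sees only the masked formula
    if answer is None:
        return None
    result = unmask(answer, key)
    if not satisfies(cnf, result):                      # cheap check of Bob's honesty
        raise ValueError("Bob's answer does not satisfy the original formula")
    return result

# Constructed sample: (x1 v x2)(~x1 v ~x2)(x1 v ~x2)(x2 v x3)(~x3 v x1).
# Its only satisfying assignment is x1 = 1, x2 = 0, x3 = 1.
CNF = [[1, 2], [-1, -2], [1, -2], [2, 3], [-3, 1]]

if __name__ == "__main__":
    for key in product((0, 1), repeat=3):
        print(key, "Bob returns", bob_solve(mask(CNF, key), 3),
              "Alice recovers", alice_solve(CNF, 3, list(key)))
```

Across the eight keys Bob's answer takes every possible value, while the clause structure he sees (which variables share a clause) is the same each time.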

6 Keeping Bob honest 

The primary weakness of these protocols is that although he can learn nothing about the states
Alice gives him, Bob can easily prevent her from performing her computation. He could simply
not return her qubits, or worse yet, he could ruin the computation by performing the wrong
gate. This weakness is inherited from the private quantum channel, and there is no way to
avoid it altogether. However, although she cannot force Bob to help her, there may be simple
ways for Alice to detect whether Bob is cheating.

^c I thank Sam Gutmann for suggesting this example.

If Alice is asking Bob to help her solve a problem in the computational complexity class 
NP, there is a particularly simple way for her to check his honesty. Presumably, Alice is asking 
for Bob's help because the problem can be solved much faster on a quantum computer than 
on a classical computer — for example, she might ask him to help her perform Shor's algorithm 
to factor a number. But if Alice has access to a classical computer and the problem is in NP, 
she can easily check the solution to see if it is right. In the example of factoring, Alice simply 
multiplies the resulting factors to see if they give her input. 

However, what if Alice cannot readily check the solution? Can she still efficiently detect
whether Bob is cheating? Intuitively, it seems that Alice should be able to gain some
confidence that Bob is behaving honestly by performing tests of his actions using a randomly
chosen subset of her inputs. If these tests fully characterize Bob's operations, they can be
used to bound the probability that Bob is cheating. Indeed, such a procedure provides an
efficient way to check whether Bob is cheating in the restricted scenario in which he must act
as a memoryless black box, as can be shown using ideas along the lines of [24]. However, in
general, Bob could introduce errors adversarially rather than randomly, which presents a more
difficult verification problem. We leave the general adversarial scenario as an open problem.
A solution to this problem might also be relevant to fault-tolerant quantum computing, where
the assumption that Bob acts as a memoryless black box corresponds to an assumption of
independent errors, and the general adversarial scenario accommodates errors of the most
general type (which are hopefully nevertheless small).

7 Discussion 

We have shown that it is possible for a party who cannot do universal quantum computation
(Alice) to have her computational power augmented by another party (Bob) without
compromising the security of the computation. Furthermore, we have briefly discussed ways of
detecting whether Bob is truly being helpful — a problem that deserves further study. The
protocols we have described, and more general protocols for verifying the validity of Bob's
actions, might prove useful for assuring the security of certain quantum information processing
tasks.

We have focused on preventing Bob from obtaining information about the states Alice
gives him, and we have not considered the information he might obtain from the particular
gates Alice asks him to perform. We can imagine that she might want to prevent him from
learning something this way. For example, in the context of programmable gates, Vidal and
Cirac considered a different scenario in which Bob can learn Alice's input, but she does not
want him to know the function she is trying to compute [25]. In the context of the present
paper, it is not particularly difficult to prevent Bob from learning the function. The protocol
can simply consist of Bob performing a fixed sequence of gates, cycling through Hadamard,
CNOT, and π/8. If a particular gate is not needed, she can supply Bob with junk qubits. With
this protocol, the number of gates is increased by at most a factor of three. Since Alice does
not send any classical information to Bob to describe her circuit, and since we have already
established that he can learn nothing from her quantum states, it follows that he cannot learn
anything about which gates are being used. The only thing Bob can learn is the length of the
protocol, i.e., the total number of gates Alice has him perform. Even this meager amount of
information can be reduced (although not eliminated), since Alice is free to add additional
unnecessary gate requests, so that Bob can only learn an upper bound on the number of gates
in Alice's circuit.

Note that there is an analogy between programmable gates and secure assisted gates:
whereas programmable gates generalize identity teleportation to gate teleportation, secure
assisted gates generalize an identity private quantum channel to a private quantum channel
that performs a gate. Furthermore, the Gottesman-Chuang hierarchy plays a similar role in
the construction of gate teleportation circuits [26] and in showing that two-qubit
measurements are universal for quantum computation [27].

There are many possible variants of this problem depending on the resources Alice and Bob
are allowed to use. For example, if Alice is only allowed to perform single-qubit measurements,
Bob can supply her with a cluster state [28]. Perhaps other resource limitations would lead
to interesting forms of secure assisted quantum computation.

Finally, it might be useful to consider restricting the total amount of information transfer. 
We have assumed that Alice and Bob have an inexpensive quantum channel, so they can send 
quantum states back and forth as many times as they wish. But this may not be a realistic 
assumption. If Alice and Bob are connected only by a very slow or expensive channel — or 
perhaps only by a classical channel, with a small reserve of prior shared entanglement — can 
they still accomplish interesting computational tasks? In other words, can they perform 
secure remote quantum computation? We should not expect Bob to enable Alice to do secure 
universal computation on remote data, but she might nevertheless be able to perform certain 
tasks securely. 